Forums: Codecrypter Project - Forums

Codecrypter Project next stage... code perverting

#1 tibbar

  • Master Sergeant
  • Group: Members
  • Posts: 1,423
  • Joined: 14-October 03

Posted 07 August 2005 - 01:47 PM

Some of you may have seen my initial work on codecrypter posted on GSO.

I have reached the stage where I am crypting all PE sections apart from .idata, which is yielding 100% antidetection on all malware tested so far.

So now I reach the next stage, how to ensure that a signature cannot be found to identify files encrypted with codeCrypter.

Initially, I worked on inserting random "junk nops" into the stub code that does the decrypting, i.e.

push EAX;
mov EAX, 0;
pop EAX;


could be used as a junk nop.

as could:

add EAX, 5;
sub EAX, 5;


etc etc...

This might work, although a paper on the CodeBreaker-Journal implies that some AV can detect junk nops, and exclude them when checking against a signature...

So I decided to take this to the next level.

Instead of just adding junk nops, I will create an engine that modifies the code with equivalent operations.

For instance,

mov EAX, 5;


is equivalent to:

push 5;
pop EAX;


so I will develop a library of equivalent operations for every x86 instruction commonly used. The engine will then:

1) disassemble each instruction in a section of code;
2) select a random equivalent operation;
3) calculate extra space required to fit new equivalent operations and insert space in code;
4) assemble the equivalent operations.

Once this is complete, the engine will then insert random junk nops for good measure.


Now, this actually has been done before. Zombie wrote code pervertor which could achieve this but only for instructions that have an equivalent instruction of equal size in bytes when assembled. I will be taking this to the next level.

What then occurred to me is: why purely crypt the code section of the PE file? I can use this perverting engine to alter both the malware's code section before crypting it and my stub. This will mean that even when AV move to scanning process memory (as opposed to scanning the disk image of a process), it will still remain undetected.

Before I begin this long project, are there any comments on my plans or suggestions of things I may be forgetting?

If all goes to plan, we will be seeing the next era in AV technologies being forced into play.

It will no longer be sufficient to scan for signatures, and the actual behaviour of an application will need to be analysed in a sandbox, before it can be classified "clean".

Some might see this project as potentially dangerous, since it will enable anyone to create unique versions of existing malware at the press of a button.

However, I reached the view that the extreme ease with which malware can be made undetected from current AV is unacceptable from a security standpoint.

Any non-public packer will beat all AV on the market today, and a packer is very easy to write, for any seasoned programmer.

The only reason AV firms are able to continue with their current practice, is that once a packer goes public, they can put a signature on the packer.

Once complete, this project will make it impossible to recognise that a file has been packed, and hence AV will be forced to reconsider the methods they use.

The long term benefit of this will be that private packers will no longer be able to hide malware from AV and we should therefore enjoy safer systems.
If you want to read more about my security research, visit Tibbar.org
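A detector-side counterpart to the two tricks in this post, as an added example that is not tibbar's code and not part of the thread: a normaliser that strips the junk-nop idioms and folds the push-imm/pop-reg equivalent back into mov before a signature is computed, so the plain and the perverted listing hash the same. The disassembly listings are constructed; the push/pop and add/sub pairs are treated as null only because the post treats them so (the add/sub pair actually clobbers the flags, so a real normaliser would first check that the flags are dead at that point).

```python
import hashlib
import re

# One textual disassembly line: mnemonic, operands, optional trailing ';'
INSN = re.compile(r"^\s*(\w+)\s*(.*?)\s*;?\s*$")
# Immediate operand forms accepted: decimal, 0x-prefixed hex, h-suffixed hex
IMM = re.compile(r"(0x[0-9a-f]+|[0-9a-f]+h|\d+)")

def parse(listing):
    """Turn text disassembly into (mnemonic, [operands]) tuples, lower-cased."""
    out = []
    for line in listing.strip().splitlines():
        m = INSN.match(line)
        if not m:
            continue  # blank or comment-only line
        ops = [o.strip().lower() for o in m.group(2).split(",") if o.strip()]
        out.append((m.group(1).lower(), ops))
    return out

def normalise(listing):
    """Drop semantically null sequences and rewrite known equivalents to one canonical form."""
    insns, out, i = parse(listing), [], 0
    while i < len(insns):
        a = insns[i]
        b = insns[i + 1] if i + 1 < len(insns) else None
        c = insns[i + 2] if i + 2 < len(insns) else None
        if a[0] == "nop":                                   # plain nop
            i += 1
        elif (c and a[0] == "push" and c[0] == "pop" and a[1] == c[1]
              and b[0] == "mov" and b[1] and b[1][0] == a[1][0]):
            i += 3                                          # push r; mov r, x; pop r  -> nothing
        elif b and a[0] == "add" and b[0] == "sub" and a[1] == b[1]:
            i += 2                                          # add r, n; sub r, n      -> nothing (flags assumed dead)
        elif b and a[0] == "push" and b[0] == "pop" and a[1] and IMM.fullmatch(a[1][0]):
            out.append(("mov", [b[1][0], a[1][0]]))         # push imm; pop r         -> mov r, imm
            i += 2
        else:
            out.append(a)
            i += 1
    return out

def signature(listing):
    """Hash of the canonical form: the value a scanner would compare against its database."""
    canon = "\n".join(f"{m} {','.join(o)}" for m, o in normalise(listing))
    return hashlib.sha256(canon.encode()).hexdigest()

# Constructed sample: the same three-instruction fragment, plain and after "perversion".
CLEAN = "mov eax, 5\nxor ebx, ebx\ncall edx"
PERVERTED = "push 5\npop eax\npush ecx\nmov ecx, 0\npop ecx\nxor ebx, ebx\nadd eax, 5\nsub eax, 5\nnop\ncall edx"
```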

#2 AdmiralB

  • Sergeant First Class
  • Group: Members
  • Posts: 316
  • Joined: 24-December 03

Posted 07 August 2005 - 04:56 PM

Well, AV will need to rewrite their entire detection systems, leaving a window of opportunity for undetectable viruses to slip in for the time being :\

#3 nolimit

  • Sergeant First Class
  • Group: Members
  • Posts: 387
  • Joined: 27-January 04

Posted 07 August 2005 - 07:57 PM

Sometimes you have to step back before you can leap forward.
I applaud you, tibbar. Let me know if you need any help.

#4 extreme

  • Specialist
  • Group: Specialist
  • Posts: 582
  • Joined: 02-September 03

Posted 07 August 2005 - 08:29 PM

Can you please explain how to manually encrypt PE section??
I know how to encrypt data section but that doesn't work with PE section :\

#5 tibbar

  • Master Sergeant
  • Group: Members
  • Posts: 1,423
  • Joined: 14-October 03

Posted 08 August 2005 - 12:33 AM

What do you mean by "PE section"?

A PE file contains some initial structures that define the PE sections that will be included.

I am not talking about encrypting these structures, since that would break the loader; I am talking about perverting .CODE and encrypting .DATA, .rsrc, etc.

If you want to see how to encrypt say .CODE/.TEXT have a look at my alpha release of codeCrypter on the forum.

Note that .idata cannot be encrypted, although it can be minimised to a couple of essential APIs from kernel32 and then rebuilt by the stub.

Also note that .rsrc has some initial structures that must be preserved.

The interesting part of this project is the code pervertor. For malware which has no resources, the code pervertor will be sufficient to make the file undetected. So from the AV perspective, the malware will become unknown and also will be unpacked.

This is what will break the current AV methods and force change.

#6 tibbar

  • Master Sergeant
  • Group: Members
  • Posts: 1,423
  • Joined: 14-October 03

Posted 08 August 2005 - 02:18 AM

I have chosen ollydbg's open source disassembly/assembly engine to save me a lot of work.

This seems to be the best disassembly engine I have seen, unless anyone knows better.

#7 Nick W

  • Master Sergeant
  • Group: Members
  • Posts: 1,250
  • Joined: 12-August 03

Posted 16 February 2006 - 11:53 AM

Is this project still underway?

#8 the0ne

  • Private First Class
  • Group: Members
  • Posts: 123
  • Joined: 29-December 05

Posted 16 February 2006 - 01:33 PM

Hi tibbar,

This sounds too good to be true... But I saw some of your work and I think you can do it. Would be nice if you keep us up to date ;-).

#9 tibbar

  • Master Sergeant
  • Group: Members
  • Posts: 1,423
  • Joined: 14-October 03

Posted 16 February 2006 - 02:33 PM

The project got about 60% of the way there; I've not had time to look at it for about 4 months now.

I was at the point where I could pervert a shellcode fairly successfully, but there are some issues still to be resolved with adjusting things like JMP EAX. Basically, when you insert code before this point (since equivalent opcodes can be bigger than what they replaced), you must adjust all JXX's, JMP's and CALL's in the code to reflect the code movement.

This is relatively easy to do for JXX, but JMP and CALL are more difficult in the case where it's JMP REGISTER rather than JMP address.

The project is about 5000 lines of code now, and will take a fair bit more work to finish... Unfortunately I have more important things to worry about with work right now, so it will have to wait.

I would estimate that I have spent about 300 hours on this project so far; it will take a lot more time to finish.

#10 tibbar

  • Master Sergeant
  • Group: Members
  • Posts: 1,423
  • Joined: 14-October 03

Posted 16 February 2006 - 02:59 PM

I have provided an example of how the pervertor worked on a stub to my packer in my blog:

http://www.blog.co.u...rversion~568650

#11 Nick W

  • Master Sergeant
  • Group: Members
  • Posts: 1,250
  • Joined: 12-August 03

Posted 20 February 2006 - 12:46 PM

Thanks, I think I'm going to write about this myself. It's something the AV companies need to be able to address properly. We're up to what now, 26^2+? permutations for R-Bot? I believe I saw a Rbot-BAA the other day.

#12 Edu

  • General
  • Group: General
  • Posts: 2,051
  • Joined: 13-October 05

Posted 20 February 2006 - 01:33 PM

tibbar, I must say this is a brilliant idea. Creativity is always very important. This sounds revolutionary, and when it is ready it may pose a threat to antivirus companies, since it will make executables 100% undetected and they will have to change the way they detect malware. On the other hand it will be very good, because security researchers and AV specialists will start thinking in another way.
Congratulations, you seem to be a very skilled person!

#13 Fireice

  • Staff Sergeant
  • Group: Members
  • Posts: 283
  • Joined: 28-December 05

Posted 22 February 2006 - 03:56 AM

Good job, you might even become a second Dark Avenger and create the next generation of polymorphic viruses :ph34r:.